Greetings Xwiki Gurus, I've been trying to get our installation authenticating with LDAP and am having no luck. We are running XWiki 4.3 in Tomcat 7.0.34 on Windows Server 2008 R2 Standard. I have installed the LDAP Application Extension and tried configuring it both through the web interface and xwiki.config with no success. Every time I attempt to login I receive an Invalid Credentials error (stack trace below,) and the LDAP section from xwiki.config file is below that. I've tried a number of different values for the server, bind DN, and the base DN, but nothing works. Any suggestions are greatly appreciated? Is there any additional logging that I can add for more information?
Thanks, Barry 2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentica tion 2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is nul l. We don't try to authenticate, it probably means the user is in non logged mod e. 2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentica tion 2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [gro upofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniq uenames, group] 2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, uniquemember] 2013-01-30 10:12:55,857 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP serve r [ldap.nov.com:389] 2013-01-30 10:12:55,868 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server w ith credentials login=[cn=papeb,dc=nov,dc=com] 2013-01-30 10:12:55,928 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authenticatio n failed. com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind fai led with LDAPException. Wrapped Exception: Invalid Credentials at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio n.java:184) ~[xwiki-platform-legacy-oldcore-4.4.jar:na] at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio n.java:113) ~[xwiki-platform-legacy-oldcore-4.4.jar:na] at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticat eInContext(XWikiLDAPAuthServiceImpl.java:305) [xwiki-platform-legacy-oldcore-4.4 .jar:na] #------------------------------------------------------------------------------------- # LDAP #------------------------------------------------------------------------------------- #-# LDAP authentication service xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl #-# Turn LDAP authentication on - otherwise only XWiki authentication #-# - 0: disable #-# - 1: enable #-# The default is 0 xwiki.authentication.ldap=1 #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.) xwiki.authentication.ldap.server=ldap.nov.com xwiki.authentication.ldap.port=389 #-# LDAP login, empty = anonymous access, otherwise specify full dn #-# {0} is replaced with the user name, {1} with the password xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com xwiki.authentication.ldap.bind_pass={1} #-# The Base DN used in LDAP searches xwiki.authentication.ldap.base_DN=dc=nov,dc=com #-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in #-# xwiki.authentication.ldap.bind_DN) #-# {0} is replaced with the user uid field name and {1} with the user name #-# The default is ({0}={1}) # xwiki.authentication.ldap.user_search_fmt=({0}={1}) #-# Only members of the following group will be verified in the LDAP #-# otherwise only users that are found after searching starting from the base_DN # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl] #-# Only users not member of the following group can autheticate # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name #-# The default is cn # xwiki.authentication.ldap.UID_attr=sAMAccountName #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The potential LDAP groups classes. Separated by commas. # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The potential names of the LDAP groups fields containings the members. Separated by commas. # xwiki.authentication.ldap.group_memberfields=member,uniqueMember #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute) #xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki #-# account is created. #-# - 0: only when creating user #-# - 1: at each authentication #-# The default is 0 #xwiki.authentication.ldap.update_user=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# Maps XWiki groups to LDAP groups, separator is "|". The following kind of groups are supported: #-# * LDAP static groups (users/subgroups are listed statically in the group object) #-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit) #-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter), #-# | character in the filter need to be escaped with backslash (\). #-# #-# Here is an example: # xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\ # XWiki.LDAPUsers=ou=groups,o=domain,c=com|\ # XWiki.Organisation=(cn=testers) #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# Time in s after which the list of members in a group is refreshed from LDAP #-# The default is 21600 (6 hours) # xwiki.authentication.ldap.groupcache_expiration=21600 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# - create : synchronize group membership only when the user is first created #-# - always: synchronize on every login #-# The default is always # xwiki.authentication.ldap.mode_group_sync=always #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# If ldap authentication fails for any reason, try XWiki DB authentication with the same credentials #-# - 0: disable #-# - 1: enable #-# The default is 0 xwiki.authentication.ldap.trylocal=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# SSL connection to LDAP server #-# - 0: normal #-# - 1: SSL #-# The default is 0 # xwiki.authentication.ldap.ssl=0 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# The keystore file to use in SSL connection # xwiki.authentication.ldap.ssl.keystore= #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The java secure provider used in SSL connection #-# The default is com.sun.net.ssl.internal.ssl.Provider # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider #-# Bypass standard LDAP bind validation by doing a direct password comparison. #-# If you don't know what you do, don't use that. It's covering very rare and bad use cases. #-# - 0: disable #-# - 1: enable #-# The default is 0 # xwiki.authentication.ldap.validate_password=0 #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" #-# is set to 1 # xwiki.authentication.ldap.password_field=userPassword #-# [Since 4.3M1, XWikiLDAPAuthServiceImpl] #-# The maximum number of milliseconds the client waits for any operation under these constraints to complete. #-# The default is 1000 # xwiki.authentication.ldap.timeout=1000 _______________________________________________ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
